Cryptography Introduction.

A very basic introduction on cryptography.

Dear AO.

In this tutorial I will try to cover cryptography in general, along with a few commonly used ways of encryption. This tutorial will be based on SuSE Linux. I'm sure that most of what I will cover here will work on any *nix system. The main topics which I will cover are:

1 – A brief introduction on the history of cryptography.

2 – Symmetric and Asymmetric cryptography.

3 – Digital Signatures.

4 – Secure Shell (ssh)

5 – Pretty Good Privacy (pgp)

6 – GNU Privacy Guard (GNUPG)

7 – Virtual Private Networks (VPN)

8 – Site to site VPN with Crypto IP Encapsulation (CIPE)

As usual, please forgive any bad English or typos, since all my sources and knowledge on this are in the German Language.

Special Note: I WILL NOT GO INTO A LOT OF DETAIL ON HOW TO SETUP OR CONFIGURE ANYTHING. I WILL PROVIDE ONLY GENERAL INFORMATION AND WHERE TO FIND INFORMATION REGARDING CONFIGURATIONS SUCH AS LINKS OR MAN PAGES. THIS TUTORIAL IS NOT MEANT TO TEACH YOU HOW TO SETUP ANYTHING, BUT ONLY TO PROVIDE THE INFORMATION ON WHAT CRYPTOGRAPHY IS AND THE DIFFERENT KINDS OF CRYPTOGRAPHY. THE INFORMATION I PROVIDE CAN TEACH YOU HOW TO DO ALL THIS PROVIDING YOU RTFM THE INFORMATION GIVEN HERE BY ME.

1 – A brief introduction on the history of cryptography.

A very old method was to hide the original message by using invisible ink. The next method was to display the message publicly but mask it with secret “characters/symbols” to make it unreadable. An example of this is Leonardo da Vinci. He wrote his notes backwards (mirrored) so that they could only be read in a mirror. Because most people in his time could not read or write at all, this method kept his notes secure from others.

Substituting clear text with masked “characters/symbols” offers no real security, and what makes it even worse, once someone was able to “decrypt” it, these so-called substitutes became useless and new ones had to be created/found. A better solution is to keep the “ingredients” and change only the encoding rules, which can be changed at any given time. This great advance was introduced by Caesar with a technique named after him. It does not use any masked characters or symbols. Only the normal alphabet is used, with a built-in encoding variable. An example would be as follows:
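A sketch of that scheme, added here as an example and not part of the original tutorial: the alphabet never changes and the shift value (`key`) is the encoding variable. The sample message and the keys 3 and 10 are constructed for illustration.

```python
def caesar(text: str, key: int) -> str:
    """Shift every ASCII letter `key` places through the alphabet.

    The alphabet stays the same; only `key` (the "encoding variable") changes.
    Case is preserved and everything that is not a letter passes through.
    """
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr(base + (ord(ch) - base + key) % 26))
        else:
            out.append(ch)
    return "".join(out)


def decrypt(ciphertext: str, key: int) -> str:
    """Decoding is the same shift in the opposite direction."""
    return caesar(ciphertext, -key)


# Constructed sample message, encoded under two different keys.
MESSAGE = "Meet me at noon"
SECRET_1 = caesar(MESSAGE, 3)    # 'Phhw ph dw qrrq'
SECRET_2 = caesar(MESSAGE, 10)   # 'Wood wo kd xyyx'

if __name__ == "__main__":
    print(SECRET_1, "->", decrypt(SECRET_1, 3))
    print(SECRET_2, "->", decrypt(SECRET_2, 10))
```

Changing the key from 3 to 10 yields a completely different text without inventing any new symbols, which is the advance over fixed substitute characters described above.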

Modern cryptography is a mathematical discipline combined with computer science. The use of modern cryptography has expanded a great deal thanks to the Internet and its commercial uses such as e-commerce and e-cash. The basics have remained, though. The secrecy of stored and transmitted information, and its authentication (proof that the data and its source are original), belong to these basics.

2 – Symmetric and Asymmetric cryptography.

A system which uses symmetric encoding uses the same key for encrypting and decrypting. Symmetric encoding has the disadvantage that both communicating parties must find a secure way to exchange the key. Anyone who gets his hands on that key is able to decrypt.

For systems using asymmetric encoding this disadvantage does not exist, because encryption and decryption use different keys. In today's asymmetric cryptography the 2 keys are created as a pair with a mathematical method that gives them opposite effects. Data which is encrypted with one key can only be opened with the other key of the pair. This makes it possible to make the key used to encrypt public. Today's best known and most used asymmetric encryption method is called RSA, which is named after its developers Rivest, Shamir, and Adleman. RSA and many other patented methods are highly disliked by Open Source developers. The fact that an RSA patent in the USA has just expired does not change anything about this general situation. Developers who want to share their software for free, such as software under the GNU General Public License (GPL), cannot afford to pay the license costs for this algorithm.

3 – Digital Signatures.

Asymmetric encoding methods can be used not only to encrypt data, but also to digitally sign data (messages). It is also possible to use the same key for encrypting and signing messages. The following 2 reasons explain why this is nevertheless a very bad idea.

A – Depending on the rules and laws in your country, you can be forced to give out your private key used to encrypt. If you use 2 different key pairs to encrypt and digitally sign your data, then even if you give out your private key, it is not possible to fake the signature or decrypt, since the signature key remains secret.

B – Under certain circumstances it is possible to fake a signature if you use the same key pair to encrypt and sign your data/messages.

A few possible attacks against digital signatures are explained in great detail in Bruce Schneier's “Applied Cryptography”, published by Addison-Wesley, Bonn, 1998.
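The key-pair behaviour from section 2 and reason B above can be shown with textbook RSA. This is an added example, not part of the original tutorial: the primes are constructed toy values, no padding is used, and real software such as GNUPG does considerably more than this.

```python
# Textbook RSA with constructed toy primes: no padding, far too small for real use.

def make_keypair(p, q, e=17):
    """Return ((e, n), (d, n)), where d is the inverse of e modulo (p-1)(q-1)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)      # pow(e, -1, m) needs Python 3.8+

def public_op(x, pub):
    """What anyone can do with the public key: encrypt, or check a signature."""
    return pow(x, pub[0], pub[1])

def private_op(x, priv):
    """What only the owner can do: decrypt, or create a signature."""
    return pow(x, priv[0], priv[1])

def verify(value, signature, pub):
    return public_op(signature, pub) == value

ENC_PUB, ENC_PRIV = make_keypair(61, 53)     # key pair used for encryption
SIG_PUB, SIG_PRIV = make_keypair(89, 97)     # separate key pair used for signing

def demo(message=65):
    ciphertext = public_op(message, ENC_PUB)
    # One pair for both jobs: "signing" a value is the same calculation as
    # decrypting it, so a signature over a ciphertext is its plaintext.
    shared_sig = private_op(ciphertext, ENC_PRIV)
    # Separate pairs: the signature is valid but says nothing about the plaintext.
    separate_sig = private_op(ciphertext, SIG_PRIV)
    return {
        "ciphertext": ciphertext,
        "public_key_undoes_itself": public_op(ciphertext, ENC_PUB) == message,
        "private_key_decrypts": private_op(ciphertext, ENC_PRIV) == message,
        "shared_key_signature_is_plaintext": shared_sig == message,
        "separate_key_signature_is_plaintext": separate_sig == message,
        "separate_key_signature_verifies": verify(ciphertext, separate_sig, SIG_PUB),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```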

4 – Secure Shell (ssh)

Under the name Secure Shell, there is a collection of alternatives for telnet, rlogin, ftp, and other applications with similar functions. The normal applications transfer data and passwords in clear text across a network. Once that network is accessible from a public network or the Internet, it is time to replace these applications with the secure variants provided by SSH. SSH encrypts the entire data communication, securing network connections from attacks. Besides replacing telnet, rlogin, rcp, and ftp, ssh also offers other possibilities to secure network services using encrypted tunneling.

SSH includes the program ssh (secure shell), which replaces telnet, rlogin, and rsh.
The program scp (secure copy) substitutes rcp (remote copy) and ftp (file transfer protocol).
The sshd (secure shell daemon) provides the server side for these client applications. ssh also provides helper applications such as ssh-add, ssh-agent, and ssh-keygen. There are 2 variants of ssh: SSH and OpenSSH. SSH is the original, commercial software. OpenSSH comes from the OpenBSD project as an alternative to SSH and is licensed under the BSD license, making it freely available to anyone.

New versions of SSH have brought upgraded protocols with them in the past. OpenSSH supports protocol versions 1.3, 1.5 and 2.0 (I'm not sure about v3.0 and up). Except for the license, there are no differences worth mentioning. SuSE and other distributors have included a free version of SSH as well as the OpenSSH package in the SuSE Linux distribution. The documentation for each individual program is in your man pages:

man ssh (OpenSSH Secure Shell Client)

man sshd (Secure Shell Daemon)

man ssh-keygen (Key generator)

man ssh-add (RSA-Authentications-data for the Agent)

man ssh-agent (The Agent buffers authentication data during a login session, making a passwordless login to a remote computer possible with password protected keys)

For windows clients, you can use tools such as TTSSH or putty.exe to remotely administer your *nix systems.

5 – Pretty Good Privacy (pgp)

Philip R. Zimmermann developed Pretty Good Privacy to protect the exchange of e-mails from prying eyes who are not supposed to get the information inside the e-mails. The US government started a 3 year investigation against him for breaking the US cryptography export laws, because PGP uses very strong encryption and he offered it as freeware worldwide (2048 bits hehehe). Despite the fact that no paid developers or companies were involved with the PGP product, and despite the US government's attempt to stop him from giving PGP to the whole world, PGP is now the MOST used software worldwide for e-mail encryption. After the US government stopped investigating Philip in 1996, he created the company PGP Inc, which was bought in 1997 by Network Associates.

PGP is available in 2 variants:

A – the original free version which is given out by Network Associates along with MIT for all kinds of operating systems. The Linux version comes from this source.

B – The commercial version which is given out by Network Associates. The difference between the free version and the commercial version is the GUI version, the Outlook plugin, and the S/MIME support through X.509 certificates.

6 – GNU Privacy Guard (GNUPG)

The commercialization of PGP, and its split into a freeware version not to be used for commercial purposes and the commercial version itself, led developers to create an alternative: the GNU Privacy Guard (GPG or GNUPG), aka Open PGP.

For Linux there is no real reason anymore to use Pretty Good Privacy. GNUPG supports everything needed to provide a safe method of exchanging e-mails. GNUPG is compatible with PGP. At times, GPG is even more compatible with the commercial PGP version than the freeware PGP version itself.

SuSE Linux and other modern distributions also include a pre-configured GNUPG and a freeware-PGP. Linux users will find PGP and/or GNUPG support inside the terminal clients such as mutt, and pine (need pgp4pine also included) or even in EMACS. KDE users can find PGP and GNUPG support in Kmail.

To create a key pair from your shell (this is a copy and paste from my shell prompt):

instronics@mybox:~ > gpg --gen-key

This will create a key pair. Simply answer the questions the program asks you.

After this, by:

instronics@mybox:~ > gpg --list-keys

you can view the key entries.

To import public keys issued by friends, relatives, customers, or anyone else with whom you wish to exchange encrypted e-mails, type in:

instronics@mybox:~ > gpg --import filename

In order to export your public keys and to make them import-able for others:

(Grrr, I got carried away with details. I'm really sorry that I am not providing a lot of details about how to configure or set up these things as you are used to from me. But if I had done all that, then this tutorial would have become a 50 page tutorial. Who knows, I might actually make a more detailed one some day when I have the time.)

Using the fingerprint we just made, you can verify the key at any time. It is therefore a good idea to print the fingerprint for example on a card or something that you would give a person by hand. Therefore you can place the public key on your website.

To see how to sign a key, what a public keyserver is, and everything else related to GNUPG which I will not post here, have a look at: http://www.gnupg.org/gnupg.html .

For KDE users, using GNUPG or PGP is very easy and simple thanks to Kmail.

The PGP user identity is the e-mail address which is used upon creation of the key pairs using gpg --gen-key.

7 – Virtual Private Networks (VPN)

Although some vendors and service providers might disagree, in common usage a virtual private network is a group of two or more computer systems, typically connected to a private network (a network built and maintained by an organization solely for its own use) with limited public-network access, that communicates "securely" over a public network. VPNs may exist between an individual machine and a private network (client-to-server) or a remote LAN and a private network (server-to-server). Security features differ from product to product, but most security experts agree that VPNs include encryption, strong authentication of remote users or hosts, and mechanisms for hiding or masking information about the private network topology from potential attackers on the public network. Examples of where VPN can be used are:

A – A secure connection of LANs from different locations (Company building A to company building B).

B – To allow users to connect to a company from another location.

C – The extension from a company network to its suppliers and partners (e-commerce).

D – A secure connection for online banking from a customer to the bank's server.

VPNs can be put into 3 variants.

A – End-to-End:

The virtual connection will be switched to different computers.

B – Site-to-Site:

This is the classic Internet variant. So-called VPN routers use a form of tunneling to connect multiple LANs across an unsafe/public network such as the Internet.

C – End-to-Site:

This is a classic variant used to allow access to the LAN for users who are outside the LAN, such as home workers, teleworkers, as well as customers. It is mostly used by people who need to access their work from home or other locations. This is also called RAS (Remote Access Service).

IMPORTANT NOTE: IT IS HIGHLY ADVISABLE TO NOT SETUP A FIREWALL TO ACT AS A VPN SERVER TOGETHER WITH A RAS SERVER. Although technically it is possible.

Such systems can very quickly become very complicated. Complicated means unsafe, because complicated systems are much more vulnerable to mistakes than “slim” systems.

Firewalls are typically placed between public networks and private networks. They control the traffic between the public network (such as the Internet) where many dangers may lurk and the LAN where many trusted hosts/users want to communicate via a network and who wish to remain safe from an untrusted network. If the firewall does have to allow access to the internal LAN, then the amount of work for a system administrator is a lot less and easier.

VPN-Servers are typically placed between public networks and internal networks. They control the traffic between different locations which share the trusted network. Compared to a firewall, it only controls the traffic within the local trusted network.

RAS servers make it possible for employees outside of the company, such as teleworkers, to access the company network. These are for people who are trying to connect from a location that's not 100% trusted. So it's in between the firewall and the VPN server (the privilege stage, not the physical location).

8 – Site to site VPN with Crypto IP Encapsulation (CIPE)

The CIPE project offers software that allows the use of encrypting routers in Linux. The protocol is very slim and efficient. CIPE was developed to create encrypted tunnels using the UDP protocol. This solution is not as flexible as IPSEC, for example, but for connecting 2 trusted networks across an untrusted one (the Internet) it is very good. CIPE implementations for win32 systems are also available.

CIPE is very well documented. In SuSE Linux you can find information on it in /usr/share/doc/packages/cipe. If you are in that directory, you could also type in:

instronics@mybox:~ > info -f cipe.info

for more information.

A CIPE connection is always between 2 end points (point-to-point), which form the entrance and exit of the tunnel. The current versions are 1.3.0 and 1.4.3, and they need a 128 bit encryption key which must be present on both sides of the tunnel (both computers that wish to use CIPE). This connection key is a static key which will handle all new dynamic keys needed to make the tunnel.

A future version is already being planned in which the dynamic keys are protected by a public key, similar to the Secure Shell (SSH) process. The static keys, aka shared secret, will then not be needed anymore.

SuSE Linux comes with a pre-configured CIPE package which you can choose during the installation and then configure to your liking. You can set it to start in /etc/rc.config by editing the variable in there. Once configured, you start it with rccipe start and stop it again with rccipe stop. (The rc's are a feature in SuSE Linux to start and stop different scripts or applications.)

The files are located inside /etc/cipe. Please read the CIPE manuals for more detailed information on how to configure it between hosts.

I would love to include VPN with IPSEC in this document, but alas my knowledge on this is very poor, so I chose not to write anything about this subject. Also, because I use CIPE, IPSEC is not of any interest to me. For information on IPSEC, make sure the package is installed, then look at the files inside /etc/ipsec.*

I hope that this document comes in handy for people who wish to learn and understand what cryptography is and where it is useful. Until the next time.